TCLUG Archive
Re: [TCLUG:18277] firewall question
Yes, this is correct. SSH1 binds to privileged source ports (1-1024) by
default. This is consistent with the SSH philosophy of "proving" your
trustworthiness by binding to a privileged port -- and as a result, you
will notice that, as only root has this privilege, your ssh binary is
likely installed setuid root. The security of this plan is arguable, which
is likely why they dispensed with it in SSH2.

Anyway, SSH1 usually picks source ports starting at 1000 for this; OpenSSH
starts a little lower at 950 IIRC. It then increments the source port for
every subsequent connection, provided no other service is bound to a given
port. You can either change your firewall rules to allow these ports, or
invoke ssh with the -P option to disable the use of a privileged source
port.
~Dan D.
Senior Systems Administrator
Bitstream Underground, LLC
danield@bitstream.net
(612)321-9290